Table of Contents
Microservices approaches such as Kubernetes are changing the way people think about applications, bringing the dual benefits of massive scalability and modularity. Containers abstract the applications away from the systems and network infrastructure. As a result, goes the theory, application developers can create software without having to request network configuration or other operational changes. However, while this idea of masking what goes on “under the bonnet” is good, it can also be a source of risk. Not the least, for example, is that Kubernetes allocates services to server nodes dynamically. This leaves network and security engineers with a limited set of choices: for example, either restrict Kubernetes clusters to only run within a security-controlled subnetwork (which, of course, undermines the very principle of the distributed microservices architecture), or face the need to open up network firewalls to allow clusters to communicate, undermining security and losing visibility on network activity. Considered in isolation, neither option is particularly attractive. Given an already-challenging network environment, with multiple application types (each with different connectivity needs) and permissions systems, constantly changing endpoints, equipment refresh cycles, fault resolution, and new security vulnerabilities emerging all the time, the result creates a new set of problems to be solved. Engineers have only limited time, and such compromises can have knock-on effects on other systems, leading to inefficiency, cost, and frustration.
Micro-segmentation approaches, such as Aporeto, enable application-specific security controls to be allocated while keeping networking and security professionals assured of policy definition and enforcement. This creates a middle ground between an “anything goes” approach and having a fully locked-down environment, allowing application developers to define and control the ways their application elements communicate while working within predefined security stipulations.
In this report, we provide a comprehensive independent review of the Aporeto solution for network and identity management in a multi-cloud deployment. We review the practicalities of deploying Aporeto to deliver a stronger security architecture for Kubernetes container microservice applications running across distributed networks anywhere. We also evaluate the impact on the IT operations team of running Aporeto versus maintaining legacy security practices. The return on investment for an identity-based security solution becomes clear as we progress through the following series of tests.
The GigaOm Multi-Cloud Test Lab environments used in this report include Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure although the findings are relevant for other clouds and on-premises solutions such as VMware, Packet, IBM Softlayer, etc.